[one-users] ssh password less login not function

Valentin Bud valentin.bud at gmail.com
Thu Oct 3 21:39:07 PDT 2013


Hi Amier,


On Thu, Oct 3, 2013 at 1:35 PM, Amier Anis <mymabma at gmail.com> wrote:

> Hi team,
>
> Once opennebula-common creates oneadmin, is there any issue if I reset the
> oneadmin password?
>

The OS one or the OpenNebula one via oneuser? No problem in either case;
just make sure to update ~/.one/one_auth if you change oneadmin's ONE
password.


>
> Is password-less login required from the workers to the management node?
>

If management is also a node and you want live migration to work, yes, you
have to provide that.


Good Will,


>
>
>
> On Wed, Oct 2, 2013 at 5:02 PM, Amier Anis <mymabma at gmail.com> wrote:
>
>> I don't think that SELinux is the issue, as I can ssh password-less
>> without issue if OpenNebula is not installed.
>> I have also tried using "setenforce 0" and still have the same issue. (I
>> tried a different machine.)
>>
>> [oneadmin@mnode lib]$ /usr/sbin/sestatus
>> SELinux status:                 disabled
>>
>>
>> I have tried both letting opennebula-common create the user and creating
>> it manually. Same issue.
>> This is how I install OpenNebula and the components:
>>
>> yum -y install opennebula-server opennebula-sunstone opennebula-ozones
>> opennebula-gate opennebula-flow opennebula-node-kvm
>>
>>
>> Yes, I have all the files in ~/.ssh
>>
>> [oneadmin@mnode .ssh]$ ls -l
>> total 16
>> -rw------- 1 oneadmin oneadmin  406 Oct  2 10:19 authorized_keys
>> -rw------- 1 oneadmin oneadmin   61 Oct  2 03:08 config
>> -rw------- 1 oneadmin oneadmin 1675 Oct  2 10:19 id_rsa
>> -rw------- 1 oneadmin oneadmin  406 Oct  2 10:19 id_rsa.pub
>>
>> I tried ssh -v node01 ... and this error came out. However, this error
>> did not appear in the first place.
>>
>> -bash-4.1$ ssh -v 10.86.3.101
>> OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
>> debug1: Reading configuration data /var/lib/one/.ssh/config
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: Applying options for *
>> debug1: Connecting to 10.86.3.101 [10.86.3.101] port 22.
>> debug1: Connection established.
>> debug1: identity file /var/lib/one/.ssh/identity type -1
>> debug1: identity file /var/lib/one/.ssh/id_rsa type 1
>> debug1: identity file /var/lib/one/.ssh/id_dsa type -1
>> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
>> debug1: match: OpenSSH_5.3 pat OpenSSH*
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_5.3
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug1: kex: server->client aes128-ctr hmac-md5 none
>> debug1: kex: client->server aes128-ctr hmac-md5 none
>> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>> debug1: Host '10.86.3.101' is known and matches the RSA host key.
>> debug1: Found key in /var/lib/one/.ssh/known_hosts:1
>> debug1: ssh_rsa_verify: signature correct
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> debug1: SSH2_MSG_NEWKEYS received
>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
>> debug1: Next authentication method: gssapi-keyex
>> debug1: No valid Key exchange context
>> debug1: Next authentication method: gssapi-with-mic
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> Bad format in credentials cache
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> Bad format in credentials cache
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> Bad format in credentials cache
>> debug1: Next authentication method: publickey
>> debug1: Trying private key: /var/lib/one/.ssh/identity
>> debug1: Offering public key: /var/lib/one/.ssh/id_rsa
>> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
>> debug1: Trying private key: /var/lib/one/.ssh/id_dsa
>> debug1: Next authentication method: password
>>
>>
>> Which is better: exporting /var/lib/one to every worker node, or manually
>> exporting to each worker?
>>
>> Thank you.
>>
>> Regards & Best Wishes,
>>
>>
>> *.: Amier Anis :.*
>> Mobile: +6012-260-0819
>> On Wed, Oct 2, 2013 at 3:40 PM, Valentin Bud <valentin.bud at gmail.com> wrote:
>>
>>> Hello Amier,
>>>
>>>
>>> On Wed, Oct 2, 2013 at 10:27 AM, Amier Anis <mymabma at gmail.com> wrote:
>>>
>>>> Hi valentin,
>>>>
>>>> Yes, I'm using the packages from the OpenNebula repo, and there was no
>>>> error during install, whether I created oneadmin first before the
>>>> install or it was created automatically by the installer.
>>>>
>>>> yum -y install opennebula-server opennebula-sunstone opennebula-ozones
>>>> opennebula-gate opennebula-flow opennebula-node-kvm
>>>>
>>>>
>>> The opennebula-common package provides the user oneadmin so no need to
>>> create it manually. The opennebula-common is required by
>>> opennebula-server so no need to install it manually.
>>>
>>>
>>>>
>>>> I have also removed SELinux from the system.
>>>>
>>>> yum -y remove selinux-policy
>>>>
>>>>
>>> Have you rebooted your system afterwards?
>>>
>>>
>>>>
>>>> Yes, I already configured
>>>> ~/.ssh/config
>>>>
>>>> [oneadmin@mnode]$ vi ~/.ssh/config
>>>> Host *
>>>>     StrictHostKeyChecking no
>>>>     UserKnownHostsFile /dev/null
>>>>     ControlMaster auto
>>>>     ControlPath /tmp/%r@%h:%p
>>>>
>>>
>>> This looks OK.
>>>
>>> I suggest you remove the packages yum -y remove opennebula-\* and remove
>>> the oneadmin user, rm -rf /var/lib/one, reboot the machine and start
>>> from scratch. Let the packages deal with user creation. After that on
>>> mnode you should have the oneadmin public/private keys in
>>> ~/.ssh and the public key in ~/.ssh/authorized_keys. You can config ssh
>>> and try to ssh localhost.
>>>
>>> WARNING: don't remove the /var/lib/one directory if you have precious
>>> data in there.
>>>
>>> If that doesn't work config sshd to LogLevel DEBUG3 and watch what the
>>> logs say. Also take a look at /var/log/audit/audit.log.
>>> It might shed some light.
>>>
>>> Good Will,
>>>
>>>
>>>>
>>>> Thank you.
>>>>
>>>> *.: Amier Anis :.*
>>>> Mobile: +6012-260-0819
>>>>
>>>> On Wed, Oct 2, 2013 at 2:58 PM, Valentin Bud <valentin.bud at gmail.com> wrote:
>>>>
>>>>> Hello Amier,
>>>>>
>>>>>
>>>>> On Wed, Oct 2, 2013 at 9:16 AM, Amier Anis <mymabma at gmail.com> wrote:
>>>>>
>>>>>> *Hi Guys,*
>>>>>>
>>>>>> I'm having an issue with ssh password-less login not functioning
>>>>>> correctly. It works with a fresh install of CentOS 6.4 before
>>>>>> installing OpenNebula. Once OpenNebula is started, it doesn't work any
>>>>>> more. The worker nodes can log in password-less without any issue, but
>>>>>> the management node can't log in to the worker nodes.
>>>>>>
>>>>>
>>>>> I see you're using CentOS as OS. Have you installed OpenNebula from
>>>>> packages [1]? Have you configured SSH as pointed out in [1]? I mean the
>>>>> ~/.ssh/config part.
>>>>>
>>>>> Another important aspect is SELINUX. Is it on or off? If it is on, check
>>>>> the /var/lib/one/.ssh context; it should have ssh_home_t as label.
>>>>> You can accomplish that using
>>>>> chcon -R -t ssh_home_t /var/lib/one/.ssh as either oneadmin or root.
>>>>>
>>>>>
>>>>>>
>>>>>> On the first attempt, I installed OpenNebula and then set up ssh-keygen
>>>>>> for oneadmin (created during installation), and I have also tried
>>>>>> creating oneadmin first and then installing OpenNebula, but both failed.
>>>>>>
>>>>>
>>>>>> If the mgmt server can ssh password-less to the workers, then the
>>>>>> mgmt server can't ssh to itself, as the mgmt server also has the VM.
>>>>>>
>>>>>
>>>>> I suggest you install OpenNebula from packages and work your way up
>>>>> from there. Don't forget to check the SELINUX context of oneadmin's
>>>>> ~/.ssh and either SSH to hosts in advance or configure SSH via
>>>>> ~/.ssh/config to allow connections without StrictHostKeyChecking.
>>>>>
>>>>>
>>>>>>
>>>>>> *My Setup*
>>>>>>
>>>>>>    1. I only export and share /var/lib/one/datastores to every
>>>>>>    worker
>>>>>>    2. authorized_keys has been exported to every worker and vice versa.
>>>>>>    3. declared every hostname in /etc/hosts
>>>>>>
>>>>>> Is there any issue or anything that I need to look into?
>>>>>>
>>>>>> Thank you.
>>>>>>
>>>>> If you need more help in the future be sure to come back and ask for
>>>>> it :). Enjoy.
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> *.: Amier Anis :.*
>>>>>> Mobile: +6012-260-0819
>>>>>>
>>>>>
>>>>> [1]:
>>>>> http://opennebula.org/documentation:rel4.2:ignc#centos_platform_notes
>>>>>
>>>>>
>>>>> Good Will,
>>>>> --
>>>>> Valentin Bud
>>>>> http://databus.pro | valentin at databus.pro
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Valentin Bud
>>> http://databus.pro | valentin at databus.pro
>>>
>>
>>
>


-- 
Valentin Bud
http://databus.pro | valentin at databus.pro
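
An added example, not part of the original thread and not OpenNebula code: in the quoted `ssh -v` trace the server answers the offered id_rsa key with "Authentications that can continue", meaning it rejected the key. One common server-side cause, assumed here as a thing to rule out, is sshd's StrictModes check on the account's home directory (/var/lib/one for oneadmin on this page), on ~/.ssh and on authorized_keys. The function names and report labels below are made up for illustration.

```shell
#!/bin/sh
# Added example: check what sshd's StrictModes enforces before it accepts a
# key from authorized_keys, plus whether the offered key is listed at all.
# Usage: check_ssh_home HOME_DIR ACCOUNT_UID  (prints findings, returns their count)

# Print "uid mode" for a path; numeric ids avoid any passwd lookup.
_owner_perms() {
    ls -ldn "$1" | awk '{print $3, substr($1, 1, 10)}'
}

# A path fails if it is missing, owned by neither the account nor root,
# or writable by group or others.
_check_path() {
    path=$1; uid=$2
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"; return 1
    fi
    set -- $(_owner_perms "$path")
    owner=$1; perms=$2
    if [ "$owner" != "$uid" ] && [ "$owner" != "0" ]; then
        echo "OWNER    $path is owned by uid $owner"; return 1
    fi
    # Characters 6 and 9 of the mode string are group-write and other-write.
    gw=$(printf '%s' "$perms" | cut -c6)
    ow=$(printf '%s' "$perms" | cut -c9)
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "WRITABLE $path has mode $perms"; return 1
    fi
    return 0
}

check_ssh_home() {
    home=$1; uid=$2; findings=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        _check_path "$p" "$uid" || findings=$((findings + 1))
    done
    # The key the client offers must also be listed on the server side.
    pub="$home/.ssh/id_rsa.pub"
    if [ -r "$pub" ] && [ -r "$home/.ssh/authorized_keys" ]; then
        blob=$(awk '{print $2; exit}' "$pub")
        grep -qF -- "$blob" "$home/.ssh/authorized_keys" || {
            echo "NOKEY    id_rsa.pub is not in authorized_keys"
            findings=$((findings + 1))
        }
    fi
    return "$findings"
}
```

Run it on the host that rejects the login, for example `check_ssh_home /var/lib/one "$(id -u oneadmin)"`; a clean result leaves the sshd `LogLevel DEBUG3` log suggested in the thread as the next place to look.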